[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
                FEDERAL IT SECURITY: THE FUTURE OF FISMA

=======================================================================

                             JOINT HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                and the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 7, 2007

                               __________

                           Serial No. 110-32

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                      http://www.house.gov/reform


                                 ______
                                     
                    U.S. GOVERNMENT PRINTING OFFICE
39-025                      WASHINGTON : 2008
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

             COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California               TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York             DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California
BRIAN HIGGINS, New York              KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina
    Columbia                         BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota            BILL SALI, Idaho
JIM COOPER, Tennessee                JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
                  David Marin, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York         CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky            BILL SALI, Idaho
PAUL W. HODES, New Hampshire
                      Tony Haywood, Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
CHRISTOPHER S. MURPHY, Connecticut   TODD RUSSELL PLATTS, Pennsylvania
PETER WELCH, Vermont                 JOHN J. DUNCAN, Jr., Tennessee
CAROLYN B. MALONEY, New York
                    Michael McCarthy, Staff Director

                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 7, 2007.....................................     1
Statement of:
    Bond, Phil, president and CEO, Information Technology 
      Association of America; Paul Kurtz, partner and chief 
      operating officer, Good Harbor Consulting, LLC; John W. 
      Carlson, executive director, Financial Services Roundtable/
      BITS; and James Andrew Lewis, director and senior fellow, 
      Technology and Public Policy Program, Center for Strategic 
      and International Studies..................................    84
        Bond, Phil...............................................    84
        Carlson, John W..........................................   109
        Kurtz, Paul..............................................   100
        Lewis, James Andrew......................................   132
    Evans, Karen S., Administrator, Office of E-Government and 
      Information Technology, Office of Management and Budget; 
      Gregory C. Wilshusen, Director, Information Security 
      Issues, Government Accountability Office; and Vance Hitch, 
      Chief Information Officer, Department of Justice...........    10
        Evans, Karen S...........................................    10
        Hitch, Vance.............................................    56
        Wilshusen, Gregory C.....................................    21
Letters, statements, etc., submitted for the record by:
    Bond, Phil, president and CEO, Information Technology 
      Association of America, prepared statement of..............    86
    Carlson, John W., executive director, Financial Services 
      Roundtable/BITS, prepared statement of.....................   112
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     6
    Davis, Hon. Tom, a Representative in Congress from the State 
      of Virginia, prepared statement of.........................    69
    Evans, Karen S., Administrator, Office of E-Government and 
      Information Technology, Office of Management and Budget, 
      prepared statement of......................................    12
    Hitch, Vance, Chief Information Officer, Department of 
      Justice, prepared statement of.............................    57
    Kurtz, Paul, partner and chief operating officer, Good Harbor 
      Consulting, LLC, prepared statement of.....................   102
    Lewis, James Andrew, director and senior fellow, Technology 
      and Public Policy Program, Center for Strategic and 
      International Studies, prepared statement of...............   134
    Towns, Hon. Edolphus, a Representative in Congress from the 
      State of New York, prepared statement of...................     3
    Wilshusen, Gregory C., Director, Information Security Issues, 
      Government Accountability Office, prepared statement of....    23


                FEDERAL IT SECURITY: THE FUTURE OF FISMA

                              ----------                              


                         THURSDAY, JUNE 7, 2007

 House of Representatives, Subcommittee on 
  Information Policy, Census, and National 
  Archives, joint with the Subcommittee on 
  Government Management, Organization, and 
   Procurement, Committee on Oversight and 
                         Government Reform,
                                                    Washington, DC.
    The subcommittees met, pursuant to notice, at 2:13 p.m. in 
room 2154, Rayburn House Office Building, Hon. Edolphus Towns 
(chairman of the Subcommittee on Government Management, 
Organization and Procurement) and Hon. Wm. Lacy Clay (chairman 
of the Subcommittee on Information Policy, Census, and National 
Archives) presiding.
    Present: Representatives Towns, Clay, Hodes, Davis of 
Virginia, and Turner.
    Staff present from the Subcommittee on Information Policy, 
Census, and National Archives: Tony Haywood, staff director/
counsel; Adam C. Bordes, professional staff member; Jean Gosa, 
clerk; Nidia Salazar, staff assistant; Michelle Mitchell, 
legislative assistant for Congressman Wm. Lacy Clay; Leneal 
Scott, information systems manager, full committee; Charles 
Phillips, minority counsel; Victoria Proctor, minority senior 
professional staff member; Allyson Blandford, minority 
professional staff member; and Benjamin Chance, minority clerk.
    Staff present from the Subcommittee on Government 
Management, Organization, and Procurement: Michael McCarthy, 
staff director; Velvet Johnson, counsel; and LaKeshia Myers, 
editor/staff assistant.
    Mr. Towns. The subcommittee will come to order.
    Today's hearing is a joint hearing of two subcommittees of 
the House Oversight and Government Reform Committee on the 
important topic of Federal information security. We have both 
the Subcommittee on Government Management, which I chair, and 
the Subcommittee on Information Policy, led by my friend from 
St. Louis, Chairman Clay.
    We are holding this hearing jointly because computer 
security presents challenges both of management and of 
information policy, privacy in particular. I will briefly 
discuss some of the management issues that I see, and then I 
will yield to Chairman Clay for his opening remarks.
    The security of our technology has gotten a lot more 
attention in the past 2 years, mainly because of the serious 
breaches of security that have come to light. The most obvious 
example, of course, was the loss of a laptop computer 
containing sensitive personal data on millions of our Nation's 
veterans. Fortunately, that computer was recovered and the data 
was not accessed. But the episode served as a real wake-up call 
about how quickly and easily security can break down. Our 
committees' investigations learned that similar security 
breakdowns had occurred in every Government agency we surveyed.
    These security issues are on the minds of American 
citizens. I hear from my constituents that they are worried 
about identity theft and privacy and want to know what is being 
done to keep their personal data safe from hackers and other 
criminals.
    It has been 5 years now since Congress passed the Federal 
Information Security Management Act. This law has done a lot to 
create standards and accountability for our computer security, 
but, given our findings that security breaches are still far 
too common, we want to ask today what the next steps should be. 
What works? We would like to get that information. And what 
does not work? What are some new approaches we should try?
    From a management point of view, there are a few specific 
issues I hope our witnesses can address. First, we need to know 
if complying with FISMA makes computer systems secure in the 
real world, or whether there are other factors to measure and 
require that would increase actual security.
    No. 2: how can the Government move away from patching 
together security for different equipment after the fact and 
move toward buying equipment and systems with security already 
built in?
    And the third: what lessons can we learn from the private 
sector on how to make systems more secure? Of course, the 
private sector has its own security problems, and we all 
recognize that, so we should look at what mistakes they are 
making, in addition to what they are doing right.
    Thank you to all of the witnesses who are here today. We in 
Congress will benefit from your advice as we consider what new 
legislation is needed to improve computer security.
    [The prepared statement of Hon. Edolphus Towns follows:]

    [GRAPHIC] [TIFF OMITTED: prepared statement not reproduced in this text.]
    
    Mr. Towns. At this time I would like to yield to the Chair 
of the other subcommittee that is sponsoring this hearing 
today, Congressman Clay.
    Mr. Clay. Thank you so much, Chairman Towns, especially for 
agreeing to host this joint committee with the Information 
Policy Subcommittee.
    Let me start out by saying good afternoon. I join my good 
friend and colleague, Chairman Towns, in welcoming everyone to 
today's joint hearing to evaluate the implementation of the 
Federal Information Security Management Act of 2002, widely 
known as FISMA.
    Today's hearing continues a bipartisan effort to evaluate 
progress under FISMA and find ways to improve our Government 
information security for the benefit of all Americans. 
Weaknesses in Federal information security threaten the 
operation of Federal programs and the privacy of individuals 
whose personal information is maintained in Government computer 
systems. Congress passed FISMA to require Federal agencies to 
adopt stronger measures to identify and minimize potential 
risks to the security of information and information systems.
    Although important progress has been made, recent data 
breach incidents involving the Department of Veterans Affairs, 
the Internal Revenue Service, and other agencies tell us that 
Government information systems remain vulnerable to hackers and 
security breaches.
    In its recent annual report to Congress on FISMA 
implementation efforts, the Office of Management and Budget 
states that progress in fiscal year 2006 was, at best, mixed. 
Some agencies have improved their performance under FISMA, but 
others, including the Department of Homeland Security and the 
State Department, continue to do a poor job of securing their 
network. Twenty-one out of 24 major agencies showed major 
weaknesses in their information security controls, and agency 
Inspectors General cite major flaws in the quality of agency 
certification and accreditation processes. Thus, it is clear 
that our current practices and policies need to be reviewed to 
see where improvements can be made.
    I thank all of our witnesses for appearing today and look 
forward to your testimony.
    Mr. Chairman, I yield back. Thank you.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED: prepared statement not reproduced in this text.]
    
    Mr. Towns. Thank you very much.
    I would now like to yield to Mr. Turner of Ohio for his 
opening statement. Thank you.
    Mr. Turner. Thank you, Chairman Towns and Chairman Clay, 
for holding this joint oversight hearing today on information 
technology security and the future of the Federal Information 
Security Management Act.
    Ranking Member Davis was the driving force behind the 
passage of FISMA as part of the E-Government Act in 2002. I 
commend his continued leadership on the issue of IT security in 
our Federal Government.
    Breaches in IT security are not only a threat to our 
national security, but pose a threat to private citizens' 
information. In fiscal year 2006, several agencies saw 
potential breaches in their IT security, including the VA, the 
Department of Transportation, the Department of Energy, the 
IRS, and the Department of State. According to a September 
2006 report in the Washington Post, more than 1,100 laptop 
computers have vanished from the Department of Commerce since 
2001, including nearly 250 from the Census Bureau containing 
such personal information as names, incomes, and security 
numbers.
    As a result of the work in the 109th Congress, the 
Subcommittee on Federalism and the Census' staff issued an 
interim report on the breach and Republican staff continues its 
investigation to this date.
    I also sit on the House Veterans Affairs Committee, and, as 
most of you know, in May of last year we dealt with a serious 
potential breach in the VA's IT systems when an employee's 
laptop was stolen from his residence. That laptop contained the 
Social Security numbers of 26.5 million of our Nation's 
veterans. While the laptop was recovered and the data therein 
was not compromised, this is an example of why oversight on 
this topic is important.
    Under then Chairman Buyer's leadership, the House Veterans' 
Affairs Committee held six hearings on the issue of cyber 
security in the VA, which culminated in the House passage of 
H.R. 5835, the Veterans' Identity and Credit Security Act of 
2006, which incorporated provisions from this committee.
    I look forward to reviewing the information that we receive 
from the witnesses today about FISMA's compliance, as well as a 
broad range of public and private sector IT security issues.
    Thank you.
    Mr. Towns. Thank you very much, Mr. Turner.
    Mr. Hodes.
    Mr. Hodes. Thank you, Mr. Chairman.
    I thank both Chairman Towns and Chairman Clay for holding 
this important hearing on Federal information technology 
security. I also appreciate the witnesses who are here today, 
and I look forward to your testimony on these issues.
    Congress passed FISMA in part to make sure that citizens' 
personal information was safe with its Federal Government. In 
addition to protection from identity theft, security systems 
also ensured that the American people are receiving the most 
efficient service possible from their Federal agencies. But the 
recent data leaks which have been mentioned, including at the 
Department of Veterans Affairs, Transportation, and Energy, as 
well as at the IRS, prove there are still serious flaws in the 
Federal Government's information defense system.
    The Office of Management and Budget recently released a 
report stating that there were over 5,000 security incidents 
within Federal agencies in fiscal year 2006, up 18 percent from 
the previous year.
    Reports of inadequate security controls at the Departments 
of Defense, Homeland Security, and State also raise concerns 
that protecting electronic data is also a significant threat to 
our national security.
    When it comes to information security, the old phrase 
``good enough for Government work'' does not apply.
    I hope that today's hearing will shed light on the 
challenges facing FISMA implementation and potential solutions 
to those issues.
    Thank you. I yield back my time, Mr. Chairman.
    Mr. Towns. Thank you very much.
    Now we will turn to the first panel. It is committee policy 
that all witnesses are sworn in, so please stand and raise your 
right hands.
    [Witnesses sworn.]
    Mr. Towns. Let the record reflect that they all responded 
in the affirmative. Thank you. You may be seated.
    Our first panel features the experts on information 
security in the Federal Government. Karen Evans is the 
Administrator of the Office of E-Government and Information 
Technology at the Office of Management and Budget. She is an 
experienced IT professional and leads the administration's 
programs on information security.
    Welcome to the committee.
    Also, we would like to welcome Mr. Wilshusen, who is the 
Director of Information Security Issues at the Government 
Accountability Office [GAO]. He is also a long-time expert on 
this topic and has testified before this committee several 
times.
    Welcome back.
    Vance Hitch is the Chief Information Officer at the 
Department of Justice. He manages Department information and 
technology programs with a budget of $2.4 billion--that is B as 
in Boy--and has more than 30 years of experience in managing 
Government IT projects.
    And let me note that your entire statement will be included 
in the record. If you could just summarize within a 5-minute 
period, we would certainly appreciate it, which will allow time 
for questions and answers.
    I know you know the procedure in terms of when the yellow 
light comes on that is caution, and when the red light comes 
on, that means we hope that you will stop.
    Ms. Evans, will you proceed?

   STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR, OFFICE OF E-
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND 
 BUDGET; GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY 
  ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; AND VANCE HITCH, 
        CHIEF INFORMATION OFFICER, DEPARTMENT OF JUSTICE

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Good afternoon, Chairman Towns, Chairman Clay, 
and members of the committee. Thank you for inviting me to 
discuss the status of the Federal Government's efforts to 
safeguard our information and information systems. My remarks 
today will focus on our strategy for addressing continuing 
challenges, securing and protecting the information of our 
citizens.
    OMB has taken a number of steps to improve information 
security and privacy through effective use of policy tools, our 
Government-wide management processes, and leveraging our 
requirements in the marketplace. Overall, Departments continue 
to improve their programs. The specific information has been 
included in the annual submission of the Federal Information 
Security Management Act Report to Congress and has been 
included in my written testimony today.
    In 2006, as noted, several agencies experienced high-
profile data security breaches involving personally 
identifiable information.
    I have also included in my written statement many of the 
activities the administration has also taken to date to address 
these issues.
    I would like to mention specific activities OMB is engaging 
now to move beyond compliance and to improve information 
security and privacy. Some of these initiatives include: the 
information technology security line of business, standard 
identification for Federal employees and contractors, the 
adoption of a common desktop security configuration, and 
Government-wide contracts for data encryption.
    Our most recent initiative is a focus on helping agencies to 
procure secure software and applications. For example, we 
recently completed a Government-wide contract through the GSA's 
smart buy initiative for anti-virus software, and we are 
nearing completion on another smart buy contract for Federal 
Information Processing Standards 140-2 certified encryption 
tools, which will include the ability for State and local 
governments to also purchase these tools at the Federal 
Government prices from this contract.
    We also have recently issued a memorandum requiring 
agencies to adopt common desktop security configurations for 
Windows XP and the Vista operating system, with a target 
completion date of February 1, 2008. The policy also requires 
secure configurations to be included in their agency 
procurements going forward from June 30, 2007.
    We are leveraging the work that has been completed 
collectively and cooperatively by Microsoft, the National 
Institute of Standards and Technology, Department of Homeland 
Security, and the Department of Defense. OMB has now provided 
the recommended language for the agencies to use when they are 
issuing new acquisitions.
    The administration takes its information security and 
privacy responsibilities very seriously. These actions will 
help reduce the security incidents we have been experiencing, 
permit us to better respond when prevention fails, and provide 
us a more complete and timely view of agency performance.
    Agencies spend more than $6 billion a year on controls to 
protect information and computer systems, and we will continue, 
through our oversight and the President's management agenda 
scorecard process, to ensure that this money is wisely spent.
    Finally, the administration intends to continue to focus on 
protecting the personal information of our citizens, while 
improving our services. An information security program, when 
implemented correctly, results in protection of all 
information, including personal information.
    I look forward to working with you to improve our security 
and our privacy programs and welcome any suggestions you may 
have. I would be happy to take questions when appropriate.
    [The prepared statement of Ms. Evans follows:]

    [GRAPHIC] [TIFF OMITTED: prepared statement not reproduced in this text.]
    
    Mr. Towns. Thank you very much.
    Mr. Wilshusen.

               STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Chairman Towns, Chairman Clay, members of 
the subcommittee, thank you for inviting me to testify at 
today's hearing on information security in the Federal 
Government.
    For many years GAO has identified weaknesses in information 
security as a Government-wide, high-risk issue with potentially 
devastating consequences, such as intrusions by malicious 
users, compromised networks, and the theft of personal 
identifiable information. Over the past year or so, we have 
seen many of these consequences become reality.
    Recently reported information security incidents at 
Federal agencies have placed sensitive data at risk, including 
the theft, loss, or improper disclosure of personally 
identifiable information on millions of Americans, thereby 
exposing them to a loss of privacy and the potential harm 
associated with identity theft. The wide range of these 
incidents underscores the need for improved security practices.
    Today I will discuss the weaknesses that persist in 
information security controls at Federal agencies, progress 
that the agencies have made in implementing FISMA, and 
opportunities to enhance the usefulness of the annual FISMA 
reports and independent evaluations.
    Mr. Chairman, serious weaknesses continue to threaten the 
confidentiality, integrity, and availability of Federal systems 
and information. Almost all major agencies were cited by GAO or 
their Inspectors General or independent auditors for 
significant control deficiencies.
    For example, 22 of the 24 agencies did not have adequate 
access controls in place to ensure that only authorized 
individuals could view, access, or manipulate data.
    Even basic controls were sometimes inconsistently 
implemented. For example, well-known vendor-supplied passwords 
were not changed. Users were granted access privileges that 
exceeded their need. Network devices and services were not 
securely configured. Sensitive information was not encrypted, 
and audit logs were not adequately maintained.
    Agencies also lack effective physical security controls. 
For instance, many of the data losses that occurred at Federal 
agencies were a result of physical thefts or improper 
safeguarding of laptops or other portable devices.
    An underlying cause for these weaknesses is that agencies 
have not fully or effectively implemented the information 
security programs required by FISMA. As a result, agencies may 
not have the assurance that controls are in place and operating 
as intended to protect their information systems, thereby 
leaving them vulnerable to disruption, attack, or compromise.
    Nevertheless, Federal agencies report steady progress in 
implementing FISMA control activities. For example, in fiscal 
year 2006 the number of major agencies that now have a 
substantially complete inventory increased from 13 to 18, and 
the number of percentages of Federal systems Government-wide 
that have been certified and accredited, tested and evaluated, 
and have tested contingency plans all increased. The percentage 
of Federal employees and contractors who received security 
awareness increased from 81 to 90 percent, while the percentage 
of employees with significant security responsibilities who 
received specialized training also increased. However, IGs at 
several agencies sometimes disagreed with the agency-reported 
information and identified weaknesses in the processes used to 
implement some of these activities.
    OMB has taken steps to improve the security of Federal 
information by recommending agencies encrypt all sensitive 
information on mobile computers and devices and requiring 
agencies to adopt common security configurations for Windows XP 
and Vista operating systems. If effectively implemented, these 
steps could strengthen agencies' controls over sensitive 
information.
    Opportunities exist for enhanced FISMA reporting. Most of 
the performance metrics used for FISMA reporting measure the 
extent to which a control has been implemented. However, with 
two exceptions they don't address the effectiveness of the 
control. Additional information on control effectiveness or the 
quality of processes used to implement the controls would help 
agencies, OMB, and the Congress to better ascertain the state 
of Federal information security.
    Improvements should also be made to the independent annual 
evaluations performed by the IGs. The IGs lacked a common 
approach and used varying scopes and methodologies for 
performing the evaluations, making comparisons across agencies 
over time less meaningful.
    The President's Council on Integrity and Efficiency has 
developed a framework which might provide a more consistent 
approach for the evaluations.
    In summary, Federal systems and information remain at risk, 
despite reported progress in implementing required information 
security controls.
    Mr. Chairman, this concludes my opening statement. I will 
be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]

    [GRAPHIC] [TIFF OMITTED: prepared statement not reproduced in this text.]
    
    Mr. Towns. Thank you very much.
    Mr. Hitch.

                    STATEMENT OF VANCE HITCH

    Mr. Hitch. Good afternoon and thank you, Mr. Chairman and 
members of the committee, for the invitation to speak to you 
today.
    As the Chief Information Officer for the Department of 
Justice, I am proud to discuss the accomplishments of the 
Department in the area of information security and FISMA 
compliance during my 5 years of service at the Department.
    Your Honor has asked me to discuss DOJ's efforts to comply 
with FISMA and the role the CIO Council plays in addressing 
Government-wide security challenges.
    In my role as the CIO, I develop IT security policies, 
procedures, and tools, and then coordinate their implementation 
across many components. However, there are aspects of IT 
security which are not covered by FISMA, and I try to play the 
role of both mentor and facilitator to help our components 
balance mission-specific defensive security along with 
compliance-related security.
    My testimony today will cover both what the Department does 
to ensure compliance and what we do to improve our defensive 
security posture across all of our 40 components within the 
Department of Justice.
    DOJ has received a grade of A-minus for FISMA compliance, 
and we are very proud of this accomplishment. The majority of 
work, and therefore the credit, belongs to the many information 
technology specialists supporting over 200 FISMA reportable 
systems that we have. However, we at DOJ want to go beyond 
compliance and to support our components with mission-specific 
defensive security.
    Today's world of cyber attacks has changed. A denial of 
service attack is no longer viewed as a significant 
accomplishment in the hacker community. Hackers now have more 
ambitious goals, such as placing explodable code on computers, 
or key-logging, to capture user-entered information. Many of 
the attacks come from foreign countries and criminal 
enterprises both here and abroad.
    When I first became the CIO at DOJ, DOJ had a small 
security group within our policy office. One of my first 
organizational changes was to introduce a corporate level chief 
information security officer and to set up an IT security 
office. Our initial efforts focused on establishing a basic 
security program and developing a means to track and report 
progress back to OMB.
    An obvious initial need was to bring on good people with a 
background in IT security. We hired from other agencies and 
also recruited people from the private sector. We also utilized 
the National Science Foundation's Cyber Corps program and have 
continued to hire personnel from this valuable initiative.
    Once we had the right people on board, our next focus was 
to increase awareness and training. Our security staff updated 
and improved our system inventory and enhanced our policies 
relating to certification and accreditation and patch 
management. Once these basics were in place, we pushed 
ourselves to improve our efficiency and effectiveness. Included 
in this effort was the new standardized method for all 
components to report incidents to a centralized DOJ computer 
emergency readiness team, which then had the responsibility of 
coordinating with the US-CERT. Our security team worked with 
the components to choose Department-wide tools for scanning and 
logging events across the networks.
    Another key component of this phase was reaching on a 
standardized desktop and laptop configuration for our 
Department-wide office automation program. This move not only 
improved our IT security, but also better leverages our 
significant buying power.
    As the Department moves forward, we are heavily influenced 
by the very significant and numerous losses of PII--personally 
identifiable information--that have occurred in both the 
Government and the private sector. DOJ is addressing the 
protection of PII by modifying our policies related to laptops, 
thumb drives, and other IT tools.
    In future efforts, we will be focusing on operationalizing 
the policies and processes included in the new systems or in 
updates that we make to existing systems. Most importantly, we 
want to move beyond FISMA's identification of vulnerabilities 
to confirming the completion of security corrective actions.
    We intend to insert new language in our life cycle 
development policies and our new contracts and into our C&A 
business processes. We are planning to implement a Justice 
security operations center by building off the work already 
done by the FBI. This JSOC will house the CERT team and will 
also house the security engineering staff to support the 
components in both emergency and non-emergency tasks. This will 
give us improved situational awareness.
    The CIO Council is an outstanding group of individuals who 
meet to discuss a wide range of issues affecting the entire 
Government IT community. It is a great forum to further 
understand different perspectives on pending policies or 
legislation.
    The Council also endorsed the idea of an IT security line 
of business, and recently DOJ was selected by OMB to run an 
information security line of business.
    The long-term success of the IT security program at DOJ 
depends on much more than achieving a high FISMA grade. We are 
shifting our focus to defending our missions, which is more 
than just the systems. It is important to remember that 
security is a balance of mission, threat, vulnerability, cost, 
and compliance.
    My customers in law enforcement, our attorneys and our 
correctional officers, expect reliable and secure collaboration 
capabilities. As we build new systems and upgrade our older 
systems, security is a crucial piece of the solution.
    I encourage Congress to continue to support its Government-
wide efforts such as US-CERT, the CIO Council, and Cyber Corps, 
which enriched our capabilities by bringing talented people 
together to share information and solutions.
    The fight is an ever-changing fight, and we all must stay 
focused on the new threats and the new vulnerabilities.
    Thank you for your time this afternoon. I will be very 
happy to answer any questions you may have.
    [The prepared statement of Mr. Hitch follows:]

    [GRAPHIC] [TIFF OMITTED] T9025.046 through T9025.054
    
    Mr. Towns. Thank you.
    Let me thank all three of you for your testimony. We will 
now move to the question period.
    I am the sponsor of a bill that would regulate spyware, 
which passed the House yesterday. The reason for the bill is 
the complaints I have about spyware, not just from consumers 
but also from large companies that have to deal with it. One 
computer manufacturer has said that problems related to spyware 
cause most of their customers' complaints. Another company has 
said that spyware accounts for about 50 percent of all tech 
support calls.
    Dealing with spyware is adding hundreds of millions of 
dollars in costs to companies. My question is: how much money 
and time do computer experts in the Government spend keeping 
spyware off Government computers?
    Let me just go right down the line with you, Ms. Evans.
    Ms. Evans. Mr. Towns, I can't answer the specific question 
as it relates to spyware, because that is one piece in a 
comprehensive program. What we do track from an OMB perspective 
and what we look at from a cost perspective is ensuring that 
they take proper precautions within each of the investments. So 
we are capturing the information of what agencies intend to 
spend and plan to spend on security, and it has been increasing 
every year.
    For the President's budget that was submitted that is 
currently under review now, the fiscal year 2008 budget, it is 
anticipated that included in that is $6 billion for the Federal 
Government as a whole to deal with information security/
information protection.
    Mr. Towns. Thank you.
    Mr. Wilshusen. And I also can't comment directly on the 
cost associated with searching for and cleansing systems from 
spyware. I can say that it is an issue and that often spyware 
is quite difficult to identify on a system, so it does take 
some effort to identify it and then to rid it from the system, 
and so there is a cost associated with time and resources to do 
that.
    Mr. Towns. Right.
    Mr. Hitch. Likewise, I can't comment on the specific cost, 
but I would agree with you that it is a very large problem, and 
just a general problem of bugs and whether they are malicious 
or inadvertent that are in the software that we all use are a 
huge problem. We spend a tremendous amount of money on what we 
call patch management, which is basically implementing patches 
that have been found to problems within the software that we 
all buy.
    So what I think part of the solution in the future is--and 
I know that OMB is very much active in this and I am working 
along with the CIO Council on a committee which is working on 
this problem right now--is to go back in the supply chain and 
to talk to the software vendors about their processes that they 
use to develop the software, making sure that they are rigorous 
and have certification or at least standards for them to meet 
before we buy their software.
    The other answer is to kind of put language in our 
contracts which ensure that we are protected from those kind of 
things and have penalties when we find something that is 
untoward.
    Mr. Towns. Thank you. Thank you very much.
    Mr. Wilshusen. And if I may add, sir, I would agree with 
that, because one of the critical causes for most of the 
weaknesses we identify, or many of the weaknesses we identify 
on our information security reviews is the fact that systems 
and operating systems are not configured securely, and that 
patches are not installed in a timely manner, and we are able 
to exploit those vulnerabilities in order to increase the level 
of access on a particular audit, and it is one of the root 
causes for many of the problems that Federal agencies face in 
implementing their security.
    Mr. Towns. All right.
    Let me ask you, and I guess we will start with you, Ms. 
Evans, do the FISMA reports measure results or just how 
effective the agency can complete the paperwork exercise?
    Ms. Evans. Mr. Chairman, this is a complicated question, 
and that is why I wanted to have my remarks, and I specifically 
said going beyond compliance. If an agency chooses to just 
comply, that they view it as a paperwork exercise and look at 
the metrics and the activities that we have, then it will 
generate reports and the agency will not be secure. They will 
not have good management practices in place. They may have good 
metrics that are reported in because they will have good 
numbers, and that is why it is critical that we are working 
with the Inspectors General to have the quality aspect be 
reviewed of those management processes.
    So what we are really trying to do is get beyond 
compliance. If you really just look at the letter of the law 
and look at what is there, you could generate an environment 
where the agency is just cranking out reports so that we can 
review those. That would not be representative of a secure 
program.
    But if it is properly implemented, the framework with it, 
and really focusing on the risk and the information that you 
have, and having the quality of your processes evaluated, then 
FISMA is measuring what a good program would have, and so that 
is why, through our oversight, we are working with the agencies 
so that we can move them beyond a compliance type of ``I have 
to get this report in to OMB and in to Congress,'' and really 
focus on the results of securing the information that they are 
collecting.
    Mr. Towns. Yes.
    Mr. Wilshusen. And if I may add, I would also say that I 
agree with what Ms. Evans has said in that if agencies are 
using this process as a paperwork exercise just in order to 
comply with the law, then they are missing the benefit that 
FISMA offers, because FISMA is based on sound information 
security principles, and the agencies should be more concerned 
about implementing the processes behind some of the metrics 
that are being used.
    As I mentioned in my opening remarks, many of the 
performance measures that are now being used to measure 
implementation of FISMA are based on merely implementing the 
control. It does not address or reflect the effectiveness of 
those controls. That is why I believe the metrics and the 
reporting procedure under FISMA should further address the 
effectiveness of controls that are being implemented, not just 
whether or not a control has been implemented.
    Mr. Towns. Right.
    We have been joined by the ranking member of the full 
committee, Mr. Davis of Virginia. At this time I would like to 
yield 5 minutes to the ranking member from Virginia, Mr. Davis.
    Mr. Davis of Virginia. Thank you very much. I ask my 
opening statement be put in the record.
    [The prepared statement of Hon. Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T9025.056 through T9025.062
    
    Mr. Davis of Virginia. I apologize I wasn't here earlier. I 
have a bill pending upstairs in another subcommittee. I am 
going to have to go back and forth.
    Ms. Evans, let me start with you. What changes or 
improvements is your office proposing for the 2007 FISMA 
guidance? Do you plan to issue new or updated guidance 
regarding Circular A-130?
    Ms. Evans. Right now the draft guidance is out for the 
agencies to review. We are open to consideration for changes 
that could occur in that. Pretty much right now we are holding 
them steady, but really looking to the effectiveness of the 
measures and the quality of the processes.
    Mr. Davis of Virginia. OK. Federal information security has 
been high on the GAO risk list for several years. What are you 
doing to address the areas of weakness that they have 
identified and that would remove the Government-wide 
information security from the list? How are we attacking this? 
And is there anything legislatively that we need to do to give 
you additional tools?
    Our biggest fear is that we pass these laws, we have annual 
report cards. Everybody's sitting here fat, dumb, happy. If you 
ask the average Member what FISMA is, they think it is a new 
cola or something. They are really not into this. But the 
minute you get something approaching a cyber Pearl Harbor or 
something everybody is going to be pointing fingers and saying 
what did you do about it. So I am asking: what are we doing 
about it at this point?
    Ms. Evans. Well, we are moving beyond compliance. Chairman 
Towns just asked the question about FISMA and the reporting and 
the metrics and are we just in a paperwork exercise or are we 
really achieving the results that were intended by the 
legislation going forward. I feel the legislation is sound. I 
know you introduced a modification which deals with breach, and 
that also obviously needs to be addressed as far as 
notification to citizens and entities. However, I really 
believe where we are at right now is in the execution of what 
was intended with the law. We have gotten the basic foundation 
in place, but we have to get agencies really focused on what is 
the result intended--having good, sound management practices in 
place, using the tools that we have.
    For example, with us spending $65 billion in information 
technology--and Mr. Hitch hit on this--we should be very 
demanding of the industry about what we need to have built into 
our applications, what the software should have, not making 
things that are more convenient for system administration types 
of activities and having those open so that is easier to 
maintain, but actually having that shut down where agencies 
have to make a conscious decision and balance that risk.
    So I really think that we need to improve the execution of 
what we are doing, what was intended by the law, and in that 
way you can get the quality and assess the quality.
    Mr. Davis of Virginia. Is there an issue as we ask our 
managers to do more and more, not just with FISMA but a whole 
variety of new jobs we give them, where we probably should be 
adding funding, or from an appropriations perspective are we 
doing enough to back this up, or are we just saying this is 
another box to check, we expect you, with your limited time, to 
just add this to the list, which forces a number of difficult 
choices.
    My experience has been managers are focused on 
accomplishing the mission. This is more cost avoidance, and it 
tends to be more check the box.
    Do we need to do a better job of funding it in certain 
areas, and are we getting the right input from Government to do 
that?
    Ms. Evans. Well, the way that our policy is set up, sir, is 
for agencies to really look at the services they are doing and 
then ensuring that security and privacy and the cost to 
maintain that is built into the investment up front. If an 
agency is in a compliance mode and they view FISMA and the 
reporting as a check mark exercise, then when something happens 
or the proper precautions aren't put in place it is always more 
costly to go back in afterward and fix things. So we really are 
viewing from our capital planning process, our budgeting 
process, how all of this is set up, that agencies really look 
at this in the beginning. It is one of many responsibilities 
that everyone has when you are going forward to provide a 
service for the citizen or internally for businesses or what 
you are doing.
    Mr. Davis of Virginia. I just want to get my last question 
in.
    Mr. Hitch, let me just ask you, does the OMB guidance allow 
for an accurate measurement of the status of an agency's IT 
security program? Are you getting appropriate guidance, do you 
think?
    Mr. Hitch. I have to say I give FISMA good grades overall. 
I think it has helped me through the years to give visibility 
to IT security, to make sure that management understands the 
criticality of it, and so forth, and gives me a little bit of 
backing when I go for funds and so forth.
    I do think the bar has gone up each year, and I think that 
is appropriate. I think the bar should continue to go up, 
because the general level of IT security in the Government is 
better.
    As I said in my opening statement, the direction that we 
are going--and I think that is the direction FISMA will go--is 
more operational aspects of making sure that we are 
implementing all the controls that we need to implement.
    I mentioned our security operations center. Situational 
awareness is the other thing. Right now we are aware when we 
have incidents, but the question is are we aware soon enough to 
minimize the risk, to minimize the impact of a specific 
incident, to tell other components within our organization that 
this situation has arisen, and to mitigate the overall impact 
of it. So we are going for situational awareness and we are 
going for making sure that we are addressing all of the items 
in our POA&Ms, is what we call it, the items where we found 
vulnerabilities, to fix them. Because one of the things that a 
C&A, which is measured by FISMA, makes you do is to create a 
plan of action and milestones to say you are going to fix 
them, it leaves it to your judgment whether or not you are 
going to let the system continue to operate.
    What we have found is we are always aware. When an auditor 
points out that there is a problem in a system, we are always 
aware of it because we have done our homework and we have done 
these analyses and so forth, but we haven't fixed them all. We 
are fixing them in order of priority based on how significant 
they are, what we think the risk of them is. So we are going to 
really focus on trying to get those POA&Ms down and get as 
many of the risks as we can accomplished.
    Mr. Clay [presiding]. Thank you. The gentleman from 
Virginia's time has expired.
    I recognize the gentleman from New Hampshire, Mr. Hodes.
    Mr. Hodes. Thank you, Mr. Chairman.
    As a recent Member of Congress, I am just beginning to get 
my hands around the dimensions of the issues that we are 
discussing here today, and the reports that you have provided 
and the testimony are very helpful, so I appreciate that.
    Has anybody done a study that would tell us or help us 
quantify the kind of dollar losses the Federal Government is 
suffering as a result of the issues that we are dealing with 
today in terms of lost productivity, lost time, lost hardware, 
lost software, what it is costing us on an annual basis to deal 
with security breaches and other problems that, if we were in a 
perfect world, we wouldn't have to deal with?
    Mr. Wilshusen. We have not done such a review and we have 
not been requested to do such a review, but we would be willing 
to work with you and your staff if you would like to have one 
done.
    Mr. Hodes. Because I noted someone testified that there was 
$6 billion annually being spent for controls over computer 
systems, and my guess would be that we are losing significantly 
more money than that in the Government for lack of compliance 
and lack of ability to meet all the goals that we are trying to 
meet.
    Mr. Wilshusen. The cost could be significant. I know with 
the VA theft of last year there was testimony that, at the time 
when the laptop had not been recovered, that the VA was 
considering providing credit monitoring and other services to 
the veterans. At some of the hearings they said it could cost 
anywhere from between, like, $30 to $100 per service member 
that was affected. When you multiply that by 26.5 million 
members, that is a big chunk of change.
    Mr. Hodes. I understand that, based on reports from the 
Inspectors General of each agency that were published during 
2006, only 19 of 25 agencies reported to have an effective 
strategy in place to remedy security weaknesses. I am hoping we 
are making improvements. But in order for these agencies to 
provide services, many agency information systems are 
interoperable.
    Am I correct in understanding that we really are dealing 
with the weakest link in the chain; that if one agency is 
deficient, then the entire system is really brought down to the 
level of that agency?
    Ms. Evans. Yes, sir, that is the simplest answer, that we 
are as strong as our weakest link. That is why we are taking 
steps beyond just the reporting and looking at the metrics, and 
things such as the standard desktop configuration and having 
that deployed across the entire Federal Government raises the 
bar, and then also reduces our time to patch so that it will 
raise the security overall. So these are execution steps now 
that we are in because of the exact situation that you just 
described.
    Mr. Hodes. Now, I would like to just think outside the box 
for a moment. Given where we are today and given the 
variability that I have heard in terms of how agencies are 
doing--and it sounds, Mr. Hitch, like the DOJ is doing a 
commendable job and that you have placed an enormous emphasis 
on doing what you need to do to bring things up to snuff in 
terms of your information, and I understand that the CIOs are 
meeting regularly. Is there a point person, one point person 
who is helping to manage the issues around information security 
and the compliance with FISMA that we have, or is it spread 
around the Government? And do we need some person to take 
control of this and help direct all these efforts, or is what 
we have in place adequate?
    Ms. Evans. Sir, I will take the first shot at that.
    Mr. Hodes. OK.
    Ms. Evans. I would say that the point person for the 
administration from a policy perspective and a coordination 
perspective is myself. The reason being is I am also the 
Director of the CIO Council. So I work directly with the 
Department of Homeland Security, which manages our US-CERT 
operation, and also does the operational aspects and has 
Government-wide looking across the board from an operational 
perspective.
    What we are doing from a budget perspective and then 
analyzing several tools that I have with, say, for example, the 
information security line of business and the infrastructure 
line of business, we are bringing those together so that we can 
think outside the box.
    For example, every agency has a network, and your example 
of the weakest link, is it necessary for every agency to 
maintain a presence on the Internet? If you don't have a strong 
enough staff to fully man it 24 by 7, be aware of it, like Mr. 
Hitch has described, maybe that agency should be getting some 
of its services and its expertise from another agency.
    We have identified across the board that information 
security professionals are a mission critical need within the 
Federal Government. We have identified how many we have 
onboard, how many we need to have across the Federal 
Government, and we are managing and leveraging those resources 
all the way across from people to the actual hardware and 
services that we procure. So my office puts together the 
policies and then analyzes the investments and the requests 
that come in and then make a recommendation so that the 
President's budget will reflect those policies and then the 
agency's ability to implement those.
    Mr. Hodes. And, No. 1, do you have enough resources? And I 
always hear in all these committee hearings, no, we never have 
enough resources, but you may. And, No. 2, is there any 
legislation that we need to pass to make FISMA work better and 
address this issue?
    Ms. Evans. Well, the President's budget, sir, reflects his 
priorities accordingly, and so the agencies then budget for 
this, and that would be in there as the risk-based approach as 
they go forward. I would say we have the resources that we 
need, $65 billion, $6 billion in this area is a lot of money 
that is being spent, so we need to use it appropriately.
    I have really looked at the FISMA legislation and I really 
feel that the tenets, the principles, the things that are there 
are the right framework, and Congress had it right when they 
passed it. What we really have to look at is the agencies' 
execution, and looking at the guidance that we are providing 
from this, looking at the policies of how we have interpreted 
some of that legislation, and work with you to enhance those so 
that we can get to the results that were intended.
    Mr. Hodes. Thank you very much. Thank you, Mr. Chairman.
    Mr. Clay. Thank you.
    Let me ask Ms. Evans, does OMB require agencies to 
specifically account for information security in agency IT 
acquisition plans through the Circular A-11 processes?
    Ms. Evans. Yes, sir, they are supposed to. Mr. Chairman, 
they are supposed to address those in the major business cases. 
That is part of what is evaluated when they send what we call 
an exhibit 300. That is looked at in conjunction with the 
annual reports that the agencies do that we get from FISMA and 
from the IG's review, so we look at all of that information 
across the board when we are analyzing what the agencies are 
asking for and how they are planning to spend their money.
    Mr. Clay. And do you think that they are spending it in a 
way that protects taxpayers' investments and that is the best 
use of that money, or is it patchwork throughout the 
Government?
    Ms. Evans. I would say that the agencies are really 
attempting to do the best that they can. What we have the 
opportunity from my level is to look across the board, and so 
things such as--and I am going to go back on a Government-wide 
contract for data encryption. We can see that all agencies are 
requesting that. We put out the policy that agencies should 
have that. We are following up from things that are already 
there.
    What we can do from my office, in conjunction with the 
General Services Administration, is give stronger guidance to 
the agencies and say we will use and leverage all our buying 
power over here. So things like getting a Government-wide 
contract, and then also extending it out to State and local 
governments, because they have the same issues that we do.
    Looking at things like the Microsoft configuration, 
agencies are spending a lot on operations because you have to 
patch. So if we raise that and we built that into the 
procurement, so now you can centrally manage patching and you 
can distribute it faster, you can reduce some of the resources 
that you are spending on these daily operations and move them 
more into mission-specific types of activities like Mr. Hitch 
was talking about earlier.
    Mr. Clay. Yes. Mr. Hitch, did you have something to add?
    Mr. Hitch. Well, I would just add, what Ms. Evans was 
talking about was at the OMB level when you submit a 300 on a 
system. You have to kind of check off a box and basically say 
that you are aware of the importance of IT security and you 
have in your investment enough money to cover IT security when 
you do this.
    Down at the Department level, at DOJ, we have something 
called the DIRG, the departmental IT--or the U-Board. In that 
process you look at all of these projects as they are coming 
along, right from the very inception when they are first 
brought up and when requirements are done all the way through 
the contracting process through implementation. We, likewise, 
check IT security as part of our overall review at each 
checkpoint. We check it at the budget process checkpoint and 
then we check it at the implementation checkpoint.
    So through our processes I am trying to make sure that we 
are actually implementing IT security when we are actually 
building the systems.
    I would like to pick up on a point that was made earlier, 
however, and that is a lot of the answer has to be a balanced 
approach of dealing with the systems we have now and making 
reasonable and intelligent choices as to what we are going to 
fix about those systems and the vulnerabilities in those, and 
then getting it earlier into the pipeline as we are building 
new systems to make sure that we are preventing these same 
errors from happening and us having to deal with them 5 and 10 
years from now, because it is actually more costly to fix these 
vulnerabilities in their existing systems than it is to take 
the prudent steps necessary to prevent them from being in the 
systems that we are developing.
    So we have to go back in the system development pipeline as 
we are developing the systems, and also with the products that 
we are using in our systems that are coming from the private 
sector.
    Mr. Clay. OK. Let me ask Mr. Wilshusen, in your recent 
report on the information security controls at the FBI 
indicates that there are significant weaknesses throughout the 
agency's networks. Can you define what the major weaknesses 
are----
    Mr. Wilshusen. Sure.
    Mr. Clay [continuing]. And the necessary steps to correct 
the problems?
    Mr. Wilshusen. Right. We looked at a critical internal 
network at the FBI and we found that the FBI did not 
consistently configure their network servers and devices 
securely. We found that they did not identify and authenticate 
users in an appropriate manner or enforce the principle of 
least privilege when assigning authorizations to users. We also 
found that they did not apply strong encryption or log, audit, 
and monitor activity over the network appropriately. And, 
finally, we found that they did not patch their servers in a 
timely manner.
    All of this collectively increased the risk to insider 
vulnerability, so to the insider threat.
    Mr. Clay. Do you believe that agency procurement activities 
are adequately incorporating security into their IT budgets? Is 
there effective planning done by agencies during the front end 
of systems integration and development processes?
    Mr. Wilshusen. Do you mean generally or in this specific 
instance?
    Mr. Clay. Generally.
    Mr. Wilshusen. Generally I would say that is an area that 
needs improvement in that agencies do need to focus on 
identifying their security requirements up front, early in the 
development life cycle process, in order to assure that they 
are being addressed as the development process continues.
    Mr. Clay. How about in this particular case with the FBI?
    Mr. Wilshusen. In this particular case we found that these 
weaknesses I think were more of a matter of management 
attention or in terms of assuring that the controls were not 
implemented in a timely manner. For example, we found that to 
not have a complete inventory or current inventory of the 
network devices and/or identifying they had some issues with 
system interconnectivity issues, as well. In many cases, their 
testing and evaluation process was not very good because we 
identified vulnerabilities that they did not know about or 
identify during their test and evaluation processes on that 
network.
    Mr. Clay. OK. Thank you.
    Mr. Hitch, anything to add on that one?
    Mr. Hitch. Well, I would just add that I think when you 
actually do a specific review of any system you are going to 
find some vulnerabilities, and hopefully we have identified 
them and are at least aware of them and are about to have a 
plan to fix them or have at least made a temporary decision 
that, based on the overall risk and the other compensating 
controls, that we are willing to live with that, at least until 
we can get the money to fix that particular thing.
    Mr. Clay. Let me ask you to describe for us your work on 
the Federal CIO Council, specifically as it relates to cyber 
security and privacy issues. Are there specific activities on 
the way to address the widespread information security 
weaknesses at different agencies throughout the Government?
    Mr. Hitch. Yes. I think the CIO Council is a very useful 
group in terms of the activity they pursue, particularly to IT 
security. There is a Best Practices Committee within the 
Federal CIO Council that IT security is one of the items that 
is very high on their agenda. In fact, this year they are going 
to have a cyber security day, where all the agencies are going 
to be participating in terms of coming in and, from a training 
standpoint, as well as a demonstration and best practices 
standpoint, talking about finding out the best and latest in IT 
security.
    The Federal CIO Council, as I mentioned earlier, is also--
and I am the representative on a committee to look into the 
pipeline process, from where the software manufacturers are 
producing software that we then use, all the way up through its 
implementation and its disposal. After we are finished with it, 
what do we do with it to make sure that it doesn't create any 
residual risk after we are finished with the systems?
    So I think there are a number of initiatives that are 
happening on the Federal CIO Council that are very much aimed 
at IT security.
    Mr. Clay. Let me ask you to describe for us the flaws in 
your agency's oversight which led to the failure of the virtual 
file sharing program within the Trilogy modernization.
    Mr. Hitch. OK. The virtual case file situation happened a 
number of years ago and, in fact, I would have to say, in 
conjunction with Ms. Evans, I think I was a part of the process 
that led to the shutting down of that process, because we felt 
that it was flawed. The management was flawed and the contracts 
that were a key part of that process were flawed.
    Mr. Clay. The vendors?
    Mr. Hitch. The failure, yes.
    Mr. Clay. Yes.
    Mr. Hitch. And therefore we felt that continuing to work on 
that was throwing good money after bad, and so we actually shut 
it down. Those flaws were many. It was contracted improperly. 
The FBI did not have the appropriate management team in place 
and the skills that it kind of assumed through that contracting 
strategy in order to manage that contract. They, by definition, 
assumed a systems integration role and a project management 
role. So there were many issues with that, and that is why we 
shut it down. And when we are moving forward with a new 
generation, we have tried to address all of those issues.
    Mr. Clay. Let me thank this entire panel for their 
responses.
    We are in the process of voting now on the floor. I will 
dismiss this panel, and then when we come back we will 
temporarily recess while votes are occurring. When we come 
back, we will swear in panel two. Thank you all for being here 
today.
    We are temporarily in recess.
    [Recess.]
    Mr. Clay. The joint hearing will come to order.
    Let me thank Chairman Towns first, and I will now introduce 
our second panel of witnesses.
    Mr. Phillip J. Bond serves as the president and chief 
executive officer of the Information Technology Association of 
America, representing 325 leading software, Internet, 
telecommunications, electronic commerce, and systems 
integration companies. His previous Government service includes 
serving as an Under Secretary of the U.S. Department of 
Commerce and Chief of Staff to former Commerce Secretary Don 
Evans.
    Welcome, Mr. Bond.
    Mr. Paul Kurtz is a partner and COO of Good Harbor 
Consulting, LLC, and is a recognized cyber security and 
homeland security expert. He previously served in senior 
positions on the White House's National Security and Homeland 
Security Councils under Presidents Clinton and Bush, and as the 
executive director of the Cyber Security Industry Alliance.
    Welcome to the committee.
    Mr. John Carlson serves as the executive director of BITS, 
where he focuses on information and security issues, business 
continuity, planning, and outsourcing risk issues for BITS 
financial institution members. Prior to joining BITS he worked 
for 9 years at the Office of the Comptroller of the Currency in 
a variety of roles, including Acting Director, Deputy Director, 
and Senior Advisor of the Bank Technology Division.
    Thank you for being here, Mr. Carlson.
    Mr. James Andrew Lewis directs the Technology and Public 
Policy Program at the Johns Hopkins Center for Strategic and 
International Studies and is a senior fellow. Previously he was 
a career diplomat who worked on a range of national security 
issues, including several bilateral agreements on security and 
technology.
    Welcome to you also, Mr. Lewis.
    Gentlemen, welcome to all. It is the policy of the 
Committee on Oversight and Government Reform to swear in all 
witnesses before they testify. Would all of you please stand 
and raise your right hands?
    [Witnesses sworn.]
    Mr. Clay. Let the record reflect that all of the witnesses 
answered in the affirmative.
    Each of you will have 5 minutes to make an opening 
statement. Your complete written testimony will be included in 
the hearing record. The yellow light indicates that it is time 
to sum up. The red light indicates your time has expired.
    Mr. Bond, we will begin with you.

    STATEMENTS OF PHIL BOND, PRESIDENT AND CEO, INFORMATION 
  TECHNOLOGY ASSOCIATION OF AMERICA; PAUL KURTZ, PARTNER AND 
 CHIEF OPERATING OFFICER, GOOD HARBOR CONSULTING, LLC; JOHN W. 
  CARLSON, EXECUTIVE DIRECTOR, FINANCIAL SERVICES ROUNDTABLE/
   BITS; AND JAMES ANDREW LEWIS, DIRECTOR AND SENIOR FELLOW, 
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND 
                     INTERNATIONAL STUDIES

                     STATEMENT OF PHIL BOND

    Mr. Bond. Thank you, Chairman Clay, and thank you to the 
subcommittees for this opportunity for ITAA to testify and talk 
about FISMA, an effort we have been involved in from the 
beginning, so commendations to the subcommittees.
    In our view, FISMA brought unprecedented and much needed 
attention to the information security challenges of the Federal 
Government. Importantly, too, the legislation recognized that 
to solve that challenge we needed the very best of the private 
sector involved in coming up with the solution. In part, that 
is because the dynamic nature of today's rapidly evolving 
threats demands innovation by the private sector and those who 
hold so much of the network in private hands. So as the threat 
evolves, so must FISMA implementation over time.
    We have been pleased to see the general trend that agencies 
are improving in this regard, but agree with the earlier 
statement from the gentleman from New Hampshire that it is not 
good enough for Government work. That is exactly right.
    We believe that measurement processes can be improved to 
yield better results, that we can emphasize preparedness versus 
after-the-fact response; in effect, that FISMA could be raised 
to another level, or FISMA 2.0, if you will.
    As providers of the information systems and security 
solutions, we will continue to help to the maximum extent 
possible.
    I would like to assure you that our members take very 
seriously their responsibilities in this regard in providing 
effective products and solutions to the Government. We see 
ourselves as partners in the mission.
    In turn, Government agencies should be encouraged to 
consider the very latest innovations from the private sector in 
this space. We have seen instances when compliance is used as 
an excuse, if you will, to discount the very latest in 
technology from the private sector.
    Very quickly, software as a service is a good example of 
this. Some of the assumptions in FISMA and the standards behind 
it cause those in the agencies who are looking at compliance to 
say that is new, that architecture isn't assumed here, and so I 
won't do that. We believe removing barriers to innovation is 
one of six recommendations I would make very quickly to the 
committee: Removing barriers to innovation for improvements in 
FISMA; reaffirming the agency information security program 
approval process feature to make sure that the plans aren't 
just on paper, but there are processes and resources behind 
them; third, to ensure that CIOs and chief information security 
officers are positioned appropriately, with necessary authority 
behind them. There may be some specific authorization and 
appropriation things we would want to talk about to make sure 
that they are positioned, authorized, and resourced.
    Fourth, to enhance Federal cyber risk management by 
requiring at least an annual risk assessment by the agencies 
that incorporates classified information and the latest from 
the private sector. We know that there are some agencies who 
are not equipped to receive classified briefings, and yet they 
must build risk assessments.
    Fifth, harmonize and enhance the audit and oversight. This 
was referenced earlier by the witnesses that the IGs in GAO 
need to come at this in a harmonized way. We support that, and 
perhaps NIST would be in a position to do some training in that 
regard.
    Sixth, to expand Federal cyber response capabilities and 
update FISMA, frankly, and its procedures to reflect the fact 
that the Department of Homeland Security has been created in 
the meantime, and its involvement with the US-CERT program.
    So we commend the committee. We believe Federal information 
security can be stronger, that we can have a FISMA 2.0, if you 
will, if we refine and improve the metrics--Ms. Evans 
referenced that a little bit, I think, focusing more on results 
than mere compliance--and embracing the partnership with the 
private sector.
    Thank you.
    [The prepared statement of Mr. Bond follows:]

    [GRAPHIC] [TIFF OMITTED] T9025.063-T9025.076
    
    Mr. Clay. Thank you so much for that testimony.
    Mr. Kurtz, you may proceed.

                    STATEMENT OF PAUL KURTZ

    Mr. Kurtz. Thank you, Chairman Clay. It is a pleasure to be 
here today. Thank you for the invitation.
    I am here today to talk about how certain information and 
security developments in the private sector will impact the 
future of FISMA and follow-on information security, guidance, 
and controls.
    As a start, I would note FISMA is a good step, a good first 
step, and a good foundation; however, current law and 
supporting implementation guidance must evolve if it is to be 
effective in light of new technology and continually emerging 
threats.
    My testimony today is divided into two parts: strengths and 
weaknesses associated with FISMA, as well as discussing changes 
in the private sector and how those will influence the 
evolution of FISMA and other Federal IT security measures in 
the coming year.
    First of all, the state of FISMA. Although there are flaws 
in its implementation, I would argue that the overall impact of 
FISMA has been positive.
    The strengths. Transparency: agencies must now show how 
their overall information security strategy and budget fit into 
the general mission and goals of an agency.
    Second, accountability: agencies must report on their 
progress toward improving information security by at least 
categorizing data based on risk and certifying systems. They 
also must test security controls and contingency plans and they 
must assign risk impact levels. Of course, now we have 
standards that have been put together by NIST, like 800-53, 
which at least establish a baseline.
    However, there are weaknesses. One, FISMA and supporting 
guidance do not provide an enterprise-wide assessment of risk. 
What is the overall risk associated with a given agency's IT 
security system? We have misleading scores. The scores measure 
only whether agencies pursue compliance processes, not 
whether IT systems are actually secure. In other words, there 
is perhaps a false sense of security associated with the 
scores.
    A lack of consequences for non-compliance: FISMA has no 
real enforcement capability outside of OMB being able to 
threaten to move money around.
    The inability to adapt to emerging technologies: in other 
words, we have new technologies that Mr. Bond has talked about 
that FISMA can't handle so well.
    Many of these concerns I would argue can be addressed by 
improving FISMA implementation guidance and do not necessarily 
require a change in the law; however, both committees' 
oversight and looking for reporting would be extremely helpful.
    There have been several developments in the private sector 
which I think should be highlighted here today.
    First of all, the private sector is empowering CIOs and 
CISOs. Mr. Bond talked about that. That is a very important 
development. But there is also the changing nature of IT. This 
is an incredibly important issue. We have a shifting paradigm 
from a client server environment where all of the applications 
are loaded on your computer, to one where we are building or 
using software and data that is stored offsite via the 
Internet. This is sometimes referred to as Web 2.0.
    Currently, FISMA guidance is skewed toward the client 
server environment, which means that some of the great 
efficiencies that are available through such things as software 
as a service are being passed by by the Federal Government 
because of perceived issues associated with FISMA compliance. 
Guidance needs to be updated sooner rather than later, as Mr. 
Bond has talked about, to ensure that agencies can take 
advantage of software as a service.
    Right now I can name several cases where agencies are, if 
you will, in a holding pattern because they don't think 
software as a service is going to work.
    Finally, I want to highlight the need to evolve to a more 
common international information security standard. FISMA is, 
if you will, the Government information security standard, and 
it is good, it is solid; but meanwhile the private sector is 
evolving toward a new standard, ISO 27001, which sounds a 
little technical but agencies and firms around the world are 
moving to this new standard. It would be good if FISMA could at 
least have some level of agreement with what is happening in 
the 27001 world. In other words, if I am compliant with 27001, 
this new revised standard, I can be deemed in compliance with 
FISMA. This would bring great efficiency to Federal agencies 
and reduce the cost for taxpayers, as well.
    I will conclude my remarks there.
    [The prepared statement of Mr. Kurtz follows:]

    [GRAPHIC] [TIFF OMITTED] T9025.077-T9025.083
    
    Mr. Clay. Thank you so much, Mr. Kurtz, for those 
suggestions.
    Mr. Carlson, you may proceed.

                  STATEMENT OF JOHN W. CARLSON

    Mr. Carlson. Great. Thank you. Thank you for the 
opportunity to testify on information security practices within 
the financial services industry and how they may be of use to 
the Federal agencies in meeting the goals of FISMA.
    I am John Carlson. I am the executive director of BITS. We 
are a division of the Financial Services Roundtable focusing on 
technology and operations issues to promote best practices in a 
strong national financial infrastructure.
    I would like to briefly highlight the risk and threat 
environment faced by financial institutions today and our 
efforts, which could be applied to strengthen the Federal 
Government's information security programs.
    The cyber security threat environment is constantly 
evolving, and some risks are increasing. Phishing, cyber 
squatting, viruses, worms, and other forms of attack are 
endemic. Hackers are closing the window between the discovery 
of a software flaw and the exploitation of that flaw. Criminals 
are using social engineering to trick consumers into providing 
personal information that can facilitate fraud and identity 
theft. Highly publicized breaches, both public and private 
sector, and the resulting loss or theft of personally 
identifiable information, do undermine consumer confidence, and 
that leads to concern about identity theft, which remains high.
    In response to these threats, our member companies are 
constantly thinking about these risks and have developed 
numerous guides and other forms of collaboration to mitigate 
them. We have developed tools to secure better data, to respond 
more effectively to data breaches. For example, we developed a 
guide in conjunction with the American Bankers Association to 
help financial institutions respond to data breaches, which is 
in harmony, by the way, with the Gramm-Leach-Bliley Act's 
information security safeguards rule, which provides a very 
helpful foundation for the financial services industry.
    In addition, we work with our member companies to respond 
to high-profile breaches, such as the TJX Company's breach 
several months ago.
    We have engaged also major software companies by outlining 
our sector's high security needs, even providing a lab to test 
software products against baseline security requirements and 
developing a practitioner's guide for patching software for 
complex information technology environments, in many cases very 
similar to Government in terms of the complexity and legacy 
systems.
    We have also developed a number of consumer education 
materials that help consumers secure their computers and avoid 
the lure of fraudsters.
    We have also looked at successful factors for security and 
awareness programs which financial institutions are required to 
provide to their employees, like Government agencies, as well.
    Efforts to make e-mail more secure and reliable could be 
helpful in reducing the amount of spam and malicious software 
that is transmitted through e-mail. We released a tool kit 
several months ago that recommends financial institutions and 
others adopt specific protocols designed to improve e-mail 
security. We think if Government adopted those we would go a 
long way in addressing some of the e-mail-related problems we 
are dealing with today.
    Our work in overseeing third-party surveillance providers 
could be helpful to Government agencies in procuring services 
and overseeing vendors. For example, the Financial Institutions 
Shared Assessments Program, which we launched in 2006, 
streamlines the service provider risk assessment process while 
raising the bar on security. We currently have 50 financial 
institutions, service providers, and assessment firms that are 
involved in this program.
    We are also looking presently at the issue of wireless 
technologies and some of the security risks that may result 
from those technologies, and assuring that we are addressing 
those risks adequately.
    We have also outlined a number of research and development 
funding priorities that we think, if the Government adopted, 
would be very helpful for our sector. These would include areas 
such as better Internet protocols, better enrollment and 
identity credential management, better understanding of insider 
fraud and threats, and better ways of measuring the return on 
investment of security technology.
    And perhaps most important to Congress is our work to 
assist victims of identity theft while at the same time helping 
law enforcement agencies investigate and prosecute identity 
theft crimes. The Identity Theft Assistance Center, another 
division of the Roundtable which BITS helped to establish 
several years ago, provides a free victim assistance service to 
customers of our member companies. Since it opened in 2004, it 
has helped 16,000 consumers restore their financial identity. 
Also, data supplied by ITAC with the consent of consumers is 
helping catch the individuals who commit these crimes.
    The financial service sector was the first sector to 
establish an Information Sharing and Analysis Center in the 
late 1990's, which continues to be a model for successful 
information sharing on cyber and physical threats. In addition, 
our sector established a Coordinating Council shortly after 
9/11 to provide a means of collaborating across the sector, with 
other sectors, and with the Departments of Homeland Security, 
Treasury Department, and others.
    Before I conclude, I want to remind the committee that 
financial institutions are heavily regulated and constantly 
supervised. Our financial regulators have issued numerous 
regulations and supervisory guidance on information security, 
with the Gramm-Leach-Bliley safeguards rule as an important 
foundation. Efforts by regulatory agencies have had a positive 
impact on improving information security through a risk-based 
approach, which is very important.
    Government can help the industry and society in a number of 
ways in dealing with the threats we are dealing with today. A 
number that I would like to point out would be: implementing a 
Social Security verification program to reduce fraud and 
identity theft; issuing more secure Government credentials; and 
permitting financial institutions to transmit data to 
Government agencies like the IRS in encrypted format.
    In closing, secured information is an ongoing process that 
requires constant vigilance, ongoing enhancements to address 
new and emerging threats, in collaboration with partners. I 
believe our efforts can be helpful to Government agencies in 
complying with the goals of FISMA.
    Thank you for the opportunity.
    [The prepared statement of Mr. Carlson follows:]

    [GRAPHIC] [TIFF OMITTED] T9025.084-T9025.103
    
    Mr. Clay. Thank you so much, Mr. Carlson.
    Mr. Lewis, please proceed.

                STATEMENT OF JAMES ANDREW LEWIS

    Mr. Lewis. Thank you, Mr. Chairman. Thank you for this 
opportunity to testify.
    The committee is aware of the damage done to U.S. interests 
in national security by the successful penetrations of Federal 
networks we have seen in the last year or so. Much valuable 
information has been lost. We don't want to overstate the 
risks, but at the same time we don't want to ignore the damage.
    We should note that an agency's FISMA score is largely 
irrelevant to telling how well it is able to withstand these 
attacks.
    The growing sophistication of software tools available for 
cyber crime and espionage increases the risk to Federal 
systems. Recent events in Estonia, which is a small country 
attacked by unknown hackers, show how we face probably a 
greater threat than we did when FISMA was enacted.
    We can draw some lessons from the Estonian experience. They 
responded calmly and rapidly to the attacks, but they are a 
small nation. The United States is larger and operates many 
more networks. That means in some ways we are a more difficult 
target, but at the same time we may not be as efficient in our 
response.
    The question of efficiency goes to the heart of FISMA. The 
U.S. Government operates hundreds of thousands of computers. We 
talk about an enterprise architecture, which means a 
corporation under a powerful CEO where all the business units 
are unified in their efforts, but I don't think this is 
possible for the Government. No single agency has control of 
the Federal networks.
    Congress passed FISMA to bolster network security within 
the Federal Government. FISMA provides a framework for security 
and mandates yearly audits. The intent behind FISMA was good, 
but an agency can get good marks in FISMA and still be 
vulnerable. This is despite much good work in recent years to 
improve security.
    We need to ask whether FISMA is still relevant. One way to 
answer this question is to look at the process. FISMA involves 
the production of reports. The reports certify whether certain 
standards are being met. These standards, if followed, may 
improve security or they may not. FISMA is a direct measurement 
of compliance with processes and an indirect measurement of 
security. If we asked agencies whether or not their networks 
were secure, as measured by penetrations or data loss rather 
than by whether they follow certain standards, their answers 
would produce more accurate results.
    Another way to look at FISMA is to ask how the technology 
has changed. The most important change, as you heard from Mr. 
Kurtz, lies in how the Internet is used. There are new Web 
applications. Federal agencies use some of these, such as 
wikis. Other applications, such as Web-based services, are not 
yet widely used, but because of their cost advantages they will 
be. Any re-examination of FISMA should update the act to allow 
for the evolution of technology.
    In my view, FISMA needs an overhaul. One way to do this 
would be to replace FISMA's emphasis on certification, with 
performance-based measures that focus on vulnerability to 
attack. Revising FISMA to focus on performance and to ask how 
many times a system was probed or penetrated, what the 
vulnerabilities were that allowed for a successful attack, and 
what steps were taken to rectify these vulnerabilities might be 
the single most important change that Congress could make.
    Another way to improve FISMA would be to link it to 
mandatory consequences. A successful attack or a low score 
should trigger a requirement for agencies to reprioritize and 
reallocate funding for information security.
    By itself, even a FISMA that worked perfectly would be 
insufficient to secure Federal systems. A revised FISMA has to 
be part of a larger strategy. The elements of this strategy 
should include: increased accountability and responsiveness by 
agency leadership; adequate funding; use of the acquisitions 
process; and increased emphasis on protecting information 
rather than networks.
    Using the Federal acquisitions process to encourage 
suppliers to make IT products more secure could be very 
beneficial. For example, the Government could give preference 
to commercial software made with industry best practices for 
security.
    I want to conclude by saying although there has been 
progress in recent years, better Federal organization would 
also help improve information security. We are better off than 
we were 10 years ago, but not all agencies have seen equal 
improvement. Despite FISMA, cyber security remains a low 
priority for many agencies. Much remains to be done.
    Let me tell you an encouraging story, though, to finish up, 
Mr. Chairman. We faced a similar challenge in the 1980's when 
the United States discovered that its communications over 
telephone networks were not secure. The United States began a 
program then to secure sensitive voice communications. Within a 
few years this program, which was implemented by the National 
Security Agency, had succeeded in securing communications. 
There are major differences, of course, between telephone 
networks and the Internet, but the lesson of identifying a 
problem, assigning its resolution to a competent agency, and 
moving aggressively with adequate funding to fix it offers a 
model for how to improve information security.
    My view is that, with better organization and strategies, 
we can make Federal information systems more secure, and an 
improved FISMA can play an important part of this effort.
    Thank you.
    [The prepared statement of Mr. Lewis follows:]

    [GRAPHIC] [TIFF OMITTED] T9025.104-T9025.108
    
    Mr. Clay. Thank you, Mr. Lewis, for your testimony.
    Chairman Towns has rejoined us, and I will go to Chairman 
Towns and recognize him for questions.
    Mr. Towns.
    Mr. Towns. Thank you very much. I really appreciate this 
hearing.
    One of the biggest weaknesses in security for the Federal 
Government has been the use of portable devices--laptops, 
computers, disks, USB drives, etc.--where the data goes out the 
door with the user, and the only protection is hoping that the 
user doesn't lose the device or have it stolen. In other words, 
basically it has been a human problem more than a technical 
problem.
    How does industry deal with that, Mr. Bond?
    Mr. Bond. I will take a first shot, and I am sure the 
financial services industry would have some, as well, Mr. 
Chairman. Thank you for the question.
    I think that one difference between the private sector and 
public sector in this regard is there is a deeper level of 
continuous assessment of where the network is extending, to 
which devices, a greater level of authentication within the 
leading companies and best practices to know which devices are 
connecting to their network, whom they belong to, are they 
authenticated.
    The Federal Government is beginning to move down that path 
with a number of efforts like HSPD-12 and others to be able to 
authenticate who is entering a building, much less who is using 
a PC, a thumb drive, or whatever. So it is a long road. I think 
there is much to learn from the private sector in this regard, 
and probably much to learn from the financial services industry 
to get to the level of continuous assessment and confidence 
that you need in such a large enterprise and such a large 
network.
    Mr. Carlson. I would also add to that. The nomenclature of 
information security, you always talk about it in terms of 
people, process, and technology, so all three of them are 
equally important in terms of how you secure information.
    Certainly in the financial services industry we have been a 
target of fraudsters to go after information, to hack into 
systems for financial gain. Our industry has really responded 
very aggressively over the past 10 years to tighten systems, to 
improve authentication, to encrypt more information, to mask 
data, to restrict the use of Social Security numbers in the 
verification process. So collectively those efforts are making 
good progress in terms of making it more difficult to access 
the information.
    There is also the human component of it, and that requires 
a lot of education on the part of employees, contractors, and 
consumers that are using the devices to access, say, their 
bank, or users that are accessing Government facilities, to 
make sure that they are doing the right thing in securing their 
portion of the chain.
    Mr. Lewis. If I could just add, Mr. Chairman, I do think 
this is, in some ways, a problem that there are technological 
fixes for; this should not be a big deal. If you have better 
authentication, if you have better encryption, losing a laptop 
should not mean the loss of valuable information. That is sort 
of the normal practice in the high-tech industry, and we need 
to see the Government move more rapidly to adopt those 
practices.
    Mr. Kurtz. If I may add to what everybody has offered, I 
think, first and foremost, we do not want to have Federal 
employees and contractors tethered to their desks and not be 
able to be mobile with their devices, so laptops, the ability 
of Federal employees to be mobile and do work from all places 
is really important. And to the technical solutions, finally we 
have guidance from OMB as of last summer to encrypt it. We need 
to encrypt it at rest and in transit, and we should move down 
that road far more quickly than we have in the past. We also 
must increase authentication.
    As Mr. Bond said, we have HSPD-12, a directive to use 
greater authentication across Federal agencies and with 
contractors. Both of those areas should receive great priority.
    And, finally, unlike the private sector, there are not 
necessarily consequences for using a laptop. In the case of VA, 
the individual was ultimately dismissed, but a lot of laptops 
are lost and there really are no consequences for those who 
actually use them. In the private sector, obviously there could 
be consequences.
    Mr. Towns. Thank you very much.
    Let me ask, if we were to change FISMA, if we were to 
strengthen it, what is the one thing that we need to do? I would 
like to go down the line on it. If there are two things that you 
must say, feel free to do so, but tell us how we might be able to 
strengthen it.
    Mr. Bond. I offered six when you weren't here, so I will 
pick my favorite.
    Mr. Towns. I am sorry.
    Mr. Bond. No, I appreciate your leadership on this, 
Chairman Towns, and appreciate your having the hearing.
    I guess if I had to pick one of those, though, I think I 
would say an annual risk assessment by the agencies that 
included classified information and input from the latest and 
greatest in the private sector. We know there are some agencies 
who either don't have the personnel, the communication 
facilities, or whatever, to receive even classified briefings 
to go into the risk assessment, and so we must be missing it. 
That is what I would say, No. 1.
    Mr. Towns. OK. Thank you.
    Mr. Kurtz. Most likely, close to what Mr. Lewis talked 
about, and that would be a requirement for annual vulnerability 
assessment, a real red team, against each Federal agency, where 
we are also getting reported on the number of attempted attacks 
and penetrations against an agency, as well as what they are 
doing to mitigate those problems. It really isn't a strong 
requirement to do that today.
    Mr. Towns. Yes.
    Mr. Carlson.
    Mr. Carlson. Yes. I would add I think it is important to 
make sure that the program the Government puts in place, 
whether it is at the agency level or across the board, has at 
its heart collaboration, that it supports it, that it 
encourages it within the organization, but also across the 
Government and with the private sector.
    I think there also needs to be a program that is very much 
risk-based and forward-focused. We can't be focused on solving 
yesterday's problems at the expense of not focusing on 
tomorrow's problems. And this space is moving so rapidly. 
Technology moves forward quickly. There is a tremendous amount 
of competition, and I think the best thing the Government can 
do can also be a driver for responsible practices by using its 
vast procurement power to purchase products that have high 
security standards, that are tested, that are going to meet the 
needs of the Government and the people that the Government is 
entrusted to protect. So using that procurement power could be 
very, very forceful in terms of driving the industry forward.
    Mr. Lewis. Good question. Thank you. I would say, following 
on Mr. Kurtz, performance-based scores tied to mandatory action. 
Test the system. Don't tell me you complied with some standard. 
Test the system, and if you fail you are required to do 
something to fix that. That is what we need to do.
    Mr. Towns. Thank you very much. I yield back, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Chairman.
    Mr. Bond, a critical element of FISMA is for agencies to 
develop a risk assessment of their systems in order to develop 
or integrate effective security policies and applications for 
them. With this in mind, please characterize the vendors' roles 
and responsibilities in developing and implementing secure 
networks and applications throughout an agency. And isn't the 
mitigation of risk a shared duty or responsibility between both 
agency personnel and the vendor community?
    That is two questions.
    Mr. Bond. Yes. Thank you, and let me try to get there on 
both of them.
    I think absolutely that the leading contracting companies 
in this space feel that they share the mission, that this is a 
critical mission for the country, of which they are a part, and 
that they want to make sure the Federal Government succeeds as 
much as humanly possible. So I think it is very much a 
partnership.
    It is also a partnership because so much of the network--
and we heard testimony about you are only as good as your 
weakest link--so much of the network is in private sector 
hands, so this is de facto a private/public partnership.
    I think, in terms of the responsibilities, there is some 
work that needs to be done there to clarify that, even under 
FISMA, which assigned some responsibility to the head of the 
agency. How that plays out then at the contractor level, who 
has which responsibilities, is sometimes not as clear as it 
should be in the contracted relationships, so I think there is 
some work to be done there.
    Mr. Clay. Thank you for that.
    Mr. Kurtz, what remedies would you offer to NIST and OMB 
for providing stronger or more timely guidance? How can new 
guidance or security controls be added in a real time 
environment?
    Mr. Kurtz. Well, first of all I would, in large part, 
commend the work of OMB and NIST. I think NIST is 
internationally recognized for the work that it does, but at 
the same time the standards process is slow and methodical. So 
in that case I think OMB has a special responsibility to be, if 
you will, more agile and more responsive.
    I think Karen Evans has done an excellent job, but I also 
think we kind of learn the hard way. If we look at the 
directive to encrypt, the directive to authenticate, it was 
only after we had real problems.
    So I think the annual guidance update that OMB carries out, 
which Karen talked about earlier today, is incredibly important, 
and it ought to be used to continue to make sure the 
implementation of FISMA, the execution of FISMA, is strong and 
to the point.
    The classic example I would give right now is the migration 
to Web-based applications, software as a service. Right now the 
Government is not in the right place on that. They are way 
behind the private sector. There is a huge migration underway, 
and FISMA and implementation of FISMA is not prepared for this 
migration. There are huge losses in efficiency and value to the 
Federal Government that are going on right now because we are 
not agile enough in updating that guidance so agencies can take 
advantage of it.
    Mr. Carlson. Pardon my lack of knowledge on that, but you 
and other witnesses have mentioned software as a----
    Mr. Kurtz. Software as a service.
    Mr. Clay. As a service. Explain what that is.
    Mr. Kurtz. I will take a shot, and then I will turn to 
others on the panel.
    Essentially, we lived in a world where you had software on 
your computers, applications that sat on your computers that 
you would pull up in order to create a Word document, Excel 
spreadsheet, or whatever it would be. Now we have software 
applications and data that are being stored offsite. So, just 
like you do online banking, it is much the same, where you are 
tapping in to software and data that is held elsewhere.
    The real value of, if you will, service on demand via 
subscription is that the Federal Government is no longer 
assuming those enormous costs of maintenance and upgrade. It 
is, if you will, the provider's job to take care of that. It is 
the provider's job to maintain the software, to upgrade it, and 
it is a fairly seamless process. Great efficiencies could be 
made available to the Federal Government if they were to pursue 
that.
    Phil, you may have a much better description than I.
    Mr. Clay. Mr. Bond, do you have anything to add? Did he 
pretty much describe it?
    Mr. Bond. Yes. I think you have probably pretty well got 
that. I think we, on this side, are sometimes guilty of geek 
speak, but it looks like you got it.
    Mr. Clay. I think I got it. Thank you for that.
    Mr. Lewis. Can I just add one thing on that, Mr. Chairman?
    Mr. Clay. Mr. Lewis, please, if you have something to add.
    Mr. Lewis. We actually use it at my work. We do our time 
and attendance and our payroll on it. We shifted. People were 
worried about security at first, and we have been doing it now 
for 4 or 5 years without a problem, so think about that. 
Instead of doing a time card and filling it in here we do it on 
the Internet. It goes to some company. I don't remember their 
name. They do it all for us.
    What we see in the press like the Wall Street Journal is 
this can bring savings of 20, 25, 30 percent, so it is 
significant.
    Mr. Clay. And Mr. Lewis, the company secures that data, 
that information for you?
    Mr. Lewis. Very much so, sir. We looked into it.
    Mr. Clay. Mr. Bond, do you have something to add?
    Mr. Bond. Yes. I would just add very quickly they secure 
the data as well as the transmission of it to make sure that it 
comes to you safely. While I agree with Mr. Kurtz that the 
Federal Government is behind on this and certainly NIST is well 
positioned to be between the private sector and Government to 
help understand how to process information in the future, I do 
want to note for the record the Department of State, Treasury, 
a number of State governments, county governments have deployed 
software as a service model, so it is being done, but I can't 
even say we have scratched the surface yet.
    Mr. Clay. But we ought to urge our Government to take a 
look at that. Thank you.
    Mr. Carlson, while FISMA offers us a good baseline of 
information to work with, there are significant concerns that 
we are not gathering better performance data from our networks 
in a real time environment. Has BITS or other industry efforts 
sought to develop better metrics or data gathering methods for 
its systems?
    Mr. Kurtz. We have a lot of discussion among experts within 
our member companies about how to manage information security 
related risks, so through those discussions we kind of coalesce 
around a number of different approaches that the industry finds 
useful and effective. Many of those have been published in some 
of the guides that we have put out, either as metrics tools or 
efforts to identify where there may be gaps in the program that 
an individual institution has in place.
    I would also add that our environment is a little bit 
different in that we also have regulators that constantly come 
in and do audits of financial institutions and determine 
whether or not those controls are adequate to meet the 
information security needs that the institution is dealing 
with. So there is almost like a double layer approach. 
Institutions do the risk analysis, develop the metrics, come up 
with the solutions that meet their risk-based environment, and 
then regulators come in and do an evaluation to see whether or 
not they are adequate.
    Mr. Clay. Thank you for that response.
    Mr. Lewis, we have all been reading about the recent cyber 
attacks in Estonia, which are primarily distributed denial of 
service attacks. There remains some uncertainty regarding the 
ultimate source of the attacks, which were delivered using 
botnets. Could you offer us some comment on, one, the ability 
of our agency systems to handle such an attack, and, two, the 
effectiveness of FISMA compliance as a means to develop some 
level of assurance that such attacks could be withstood?
    Mr. Lewis. Certainly, Mr. Chairman.
    Unfortunately, I think if you were to look at the Federal 
Government you would probably find that the ability of agencies 
to respond to this kind of attack would be very uneven. Some 
could do quite well. Others, as we know from recent events, 
would probably have real problems.
    Now, let me note that in Estonia, there were these attacks. 
They were massive. But the government IT people there were able 
to bring most services back online within a few days. So it was 
disruptive, but it didn't destroy Estonia or lead it to 
collapse.
    We would also not face collapse or some terrible outcome, 
but there would be disruption. We have seen that now. There are 
some agencies that were attacked a few months ago and are still 
having difficulty accessing the Internet, such as, I believe, 
the Department of Commerce.
    Where does FISMA fit into this? Right now it may not be as 
useful as we might like. FISMA measures how well people conduct 
certain certifications, how well they construct their systems, 
how well they document what they have done. But I am not sure 
how useful it is in measuring their ability to actually deal 
with an attack, so this would be an area where FISMA, although 
it is very beneficial, it focuses attention, it is an area 
where we could improve it.
    Mr. Clay. Thank you for that response.
    Mr. Carlson, one of the programs BITS has established is 
the BITS product certification program to test IT products 
against security criteria developed by the financial services 
sector. Please outline for us how this program works and 
whether there are components that could be adopted or 
recognized by the Federal Government for its systems.
    Mr. Carlson. Yes. The program was established about 8 years 
ago as an effort to try to provide a forum to signal to the 
software industry what are baseline security needs for the 
financial services industry. It evolved over time into a 
program in which the industry would lay out these baseline 
security requirements in a number of different areas and then 
provide a means in which a software company could come in and 
test, pass or fail, whether or not it met these baseline 
security requirements.
    We then made some modifications to it to be compatible with 
the common criteria program, which is a program that the NSA and 
NIST run, so that a company could go through both the common 
criteria program and the BITS product certification program.
    So there are many elements of it, and we have shared our 
work with DHS and others as a way to try to encourage the 
Government to apply this type of model, but to make sure the 
model is done in such a way that it is not too expensive, too 
labor intensive, and taking too long to complete. That has 
certainly been some of the complaints with the common criteria 
program, is that it does take tremendous amounts of time.
    So there is room for a program. I don't think we have hit 
the ball squarely in the right place in terms of our program, 
but we have certainly set out a program that is a beginning 
point that the Government could look at in trying to decide 
what is a program that is going to meet its needs in laying out 
the security needs for the Government.
    Mr. Clay. Do you think the Government has taken the 
security issue as seriously as they should have at this point?
    Mr. Carlson. I think there has been a lot of talk in terms 
of the importance of security. I think that it has been slow, 
much slower certainly than I would have anticipated in terms of 
how quickly the Government has jumped on to some of these 
ideas, certainly that we have proposed.
    I would note this committee had sponsored an effort several 
years ago, through Congressman Adam Putnam, to kind of bring 
together Government, private sector, and really to bring 
together the user community, which is the community I am most 
familiar with, and the producer community or the IT community, 
to try to bridge some of those gaps.
    I think we made a lot of progress. Paul Kurtz played a very 
important role in that effort, as well. But the Government was 
very slow in terms of picking up on these recommendations and 
really moving them forward.
    I think they have made progress, particularly in the last 
year, and I noted in my testimony a number of efforts that have 
been very positive in terms of Greg Garcia being placed as the 
Assistant Secretary at DHS, the work that the administration 
did on the Identity Theft Task Force and some of the 
recommendations that are in there, the work that Karen Evans 
and others have done at OMB in terms of strengthening 
Government security programs. So those are all steps in the 
right direction. But my personal opinion is that it has been 
much slower than I certainly would have anticipated a few years 
ago.
    Mr. Clay. Thank you for that response.
    Mr. Kurtz, in many of our sensitive or classified programs 
we use software and applications that have been certified under 
the National Information Assurance Partnership process. While 
not perfect, NIAP provides a greater level of software and 
application assurance for the program. If reducing the number 
of vulnerabilities in our system is a primary goal, shouldn't 
we utilize similar certification processes for all agency IT 
system needs? And others can take a stab at it.
    Mr. Kurtz. I would start with maybe a challenge to the 
premise that NIAP is strong. I think there are enormous issues 
with the National Information Assurance Partnership. There are 
terrible inefficiencies, terrible processes associated with it 
that vendors must struggle to go through, and I don't think 
really at the end of the day agencies get an appreciable 
increase in security.
    That is not to say that the process does not yield some 
improved security on the part of the software or hardware that 
goes through the process, but I would not use it as a baseline.
    I think there are two points I would try to make. One is I 
think NIAP needs to be revisited. I think it needs a wholesale 
review. I know DHS and the Department of Defense engaged in a 
study of it 3 years ago. I don't think the report has ever seen 
the light of day. I think Congress should ask for it. I think 
they should push to make sure that there is a full-scale review 
of it. And I think we should take a broader view of what is the 
role of product or software certification in a networked world. 
It might be, in fact, not as much value as we might hope in 
that product certification. It is almost a topic for a separate 
hearing.
    You probably asked the wrong guy, because I am going off on 
it.
    Mr. Clay. Thank you.
    Does someone else want to take a stab at it?
    Mr. Bond. If I could just real quickly, to follow up. And 
maybe there will be another hearing. But I think certification 
and accreditation was an important baseline, especially at the 
time FISMA was passed. But that is a slower boat, if you will, 
than the threat, and so you could theoretically be in some 
agency. Veterans have pointed out you can be 100 percent 
compliant in terms of your C&A score and still be very 
vulnerable.
    So I think Mr. Lewis testified earlier about really keeping 
our eye on what is the vulnerability. That is more important 
than your C&A score.
    Mr. Clay. I appreciate that.
    An open question for the entire panel. What would be the 
potential risks or rewards to the Federal Government if it 
required its vendors to provide more detailed information 
concerning the direct evaluation of testing of software code? 
Couldn't we simply choose the best products if we had this 
information?
    We can start with Mr. Bond.
    Mr. Bond. If I can, thank you very much. I think that, 
again, this is really a question largely about how rapidly the 
threat evolves. I think it is fair to say that the very best, 
most assured products could be vulnerable to an unforeseen 
threat, and the threat evolves rapidly, so assurance of 
products and sharing as much as you can without giving away 
some proprietary secret of your product, because it is a 
competitive market, and I think that is important. But again, 
you don't want to look in the rear-view mirror as the 
Government. The very best product today may be vulnerable to 
some new threat. So I don't want the committee to think that by 
simply saying make sure that you are as up to date as anybody 
in the marketplace today, because that may not matter tomorrow.
    Mr. Clay. It is like a moving target.
    Mr. Bond. It is.
    Mr. Clay. Thank you.
    Mr. Kurtz. Chairman Clay, your question may be focused on 
source code, the actual software source code?
    Mr. Clay. Yes.
    Mr. Kurtz. It is proper to take a look at this issue. I 
think the good news in this space is just in the past 3 or 4 
years a couple of things have happened. One is industry as a 
whole, the software industry, is getting far more serious about 
developing good standards of coding, and they are, in fact, 
seeking to work together to build better standards.
    But I think also, equally as important, as typical of the 
private sector and the free market, enterprises are realizing 
an opportunity, and they have several new companies out there 
that recognize the need for code review that can actually 
analyze code, look for vulnerabilities, and propose mitigation. 
There are probably five or six that I can name right off the 
top of my head.
    The bottom line of this is I want to think a little bit 
about mandating some sort of code meeting some spec, some 
certain level, given the nature of the threats that Mr. Bond 
has talked about, but I do think it is worthwhile thinking 
about encouraging the private sector to engage in source code 
review of some type to use those tools.
    I know in the banking and finance industry, because they 
have a lot of proprietary code, they are using these tools. 
Others are starting to use these tools. I think we are learning 
more with each passing day. It is a maturing industry.
    There is a move underway in Europe to potentially get to 
regulating source code. Incredibly bad idea. Incredibly bad 
idea that would stymie innovation, stymie research, and good 
money going into developing new tools for more powerful and 
more secure code.
    Mr. Clay. Thank you for your opinion.
    Mr. Carlson.
    Mr. Carlson. I would add I think the question you really 
want to be asking is what are the incentives that the 
Government should put in place to encourage companies to 
produce the best quality products, in terms of how they are 
used. As Paul mentioned, my association had done a great deal 
of work several years ago to put a lot of pressure on the major 
software companies to make security of greater importance in 
the development of the products and services. And the industry 
has certainly responded a great deal and security has become 
much more of a competitive issue than it was several years ago, 
and that is a very positive step.
    But I think you ought to be careful in terms of going too 
deep in terms of the specific metrics that you are looking for, 
but really look for ways to create the incentives that are 
going to be the drivers for innovation and for companies to 
really develop these products and services, and then also to 
find ways that the companies can demonstrate to Government and 
to private industry how their products are secure, what are the 
factors that they will use in order to determine whether those 
products are secure. That would help to secure a certain aspect 
of the information security equation. It doesn't solve all the 
problems. It is not a simple solution, but it certainly is a 
positive step.
    Mr. Clay. Thank you, Mr. Carlson, for reframing the 
question.
    Mr. Lewis.
    Mr. Lewis. Can I add a little bit here? It is always fun to 
be the last one, and I will say that I agree with Paul that 
anything the Europeans do we should probably not do. But your 
question is really: would better software assurance be useful? 
And the answer is yes. It is, how can the Government push that? 
What are the incentives?
    You might want to think not so much about transparency in 
the test results or looking at the source code, which is kind 
of a waste of time, but some idea about what are the practices 
that companies follow that are paying a lot more attention to 
security, what are the best practices, and using the 
acquisitions process to drive that. That is where you have your 
real leverage in terms of incentives. So there is something of 
value there.
    Mr. Clay. Thank you so much.
    During this panel we have talked about different methods to 
reduce system vulnerabilities and identify the inherent flaws 
within IT systems, including the use of software code 
evaluation. I would like each of you to summarize whether you 
feel the Federal Government would be an appropriate venue for 
the development of a new certification model for the evaluation 
of IT products and software. Specifically, should a new 
evaluation tool be developed as a voluntary certification 
program for Federal vendors and agency CIOs to use as a 
benchmark, or seal of approval, in meeting an agency's security 
need? If successful and efficient, wouldn't this become a tool 
that could be widely adopted in the private sector as an 
alternative to common criteria?
    I will begin with you, Mr. Bond.
    Mr. Bond. My initial reaction is that the frustration I 
think we have all had with how slowly information security has 
moved across the Federal Government is some hint to how quickly 
they might be able to move to get to the certification that you 
are looking for, and that we would be better off relying on a 
faster-moving, more nimble private sector to figure out what is 
the best there, what is really working in the marketplace, and 
then quickly adopting the best practices as much as we can.
    I would offer another tactical thought, at least for you to 
consider. We test currently. Under FISMA, we measure whether or 
not individuals in the agencies are taking courses on awareness 
about information security. We are not measuring how many of 
them pass, how many of them retain the information, are they 
current. We are measuring whether or not they were offered a 
course.
    I think pushing actual measurement of the results down 
through the Federal enterprise would probably do more.
    Mr. Clay. Thank you for that suggestion.
    Mr. Kurtz, please?
    Mr. Kurtz. I think I would probably come out where Mr. 
Lewis is. I think the Government ought to use the power of 
procurement to encourage vendors to at least talk, to describe 
what common best practices they are meeting in order to improve 
software assurance. I think if the Government were to get into 
the business of establishing that software assurance criteria, 
it would have a chain effect on R&D and investment in this 
space.
    I do know that industry is working to identify for itself 
those common standards, and so I would let the marketplace work 
and then use that in the procurement process to encourage or to 
incentivize vendors to demonstrate to the Federal Government 
that they have actually met whatever the private sector 
standard is for software coding, improved software coding.
    Mr. Clay. Thank you for that response.
    Mr. Carlson, please?
    Mr. Carlson. Having some experience developing our own 
product certification program, I think there are some important 
caveats to throw out there. One, it is hard work. It takes a 
lot of time. It is thankless work. You get a lot of push-back 
from the vendor community in terms of doing it.
    I think, in light of Paul's comments in terms of the NIAP 
process, the common criteria, some of the challenges it is 
facing, it is probably not the best tool that you can use. It 
is an important tool, and it would sure be helpful if we had 
some sort of means by which a company could go through a 
process to somehow demonstrate that they are as safe as the 
test could possibly determine. But I think it is important for 
the Congress and the administration to keep their eyes on the 
ball in terms of the broader picture, that this is just one 
tool of many or one factor out of many that really need to be 
thought about in terms of where do you put the investment to 
secure an information security program, which is much broader. 
Encryption is a piece of it. Authentication, access controls, 
the vendor management component of it, the training of users 
and employees--the list is fairly lengthy in terms of how you 
do it.
    Software is an important part of it in terms of that 
hackers are very good at going through and deciphering where 
there are vulnerabilities and then exploiting those codes, so 
that is an important role that software companies have to play. 
But it needs to be thought of in conjunction with an entire 
information security program, and whatever program the next 
version of FISMA is needs to take that into account and to be 
much more risk based, more performance based in terms of 
keeping an eye on those risks, because they are going to change 
and you don't want to be solving yesterday's problem in 
tomorrow's reality, which could be a very different equation.
    Mr. Clay. Thank you for that assessment.
    Mr. Lewis, you can wrap it up.
    Mr. Lewis. Thank you. Thank you, Mr. Chairman.
    It is not a bad idea, but I would say the following things: 
You want a process that is more flexible, certainly more 
flexible than common criteria, which produced mountains of 
paper over a very long period of time. You want it to be 
industry driven. It is not that one company or the other has an 
answer, but, taken as a whole, they know what the state of play 
is, and that is probably the best place to go.
    You want it to be in partnership with Government, some new 
way of combining something a little less than regulation, a 
little more than voluntary effort. You want to look at best 
practices. I would say stay away from certification. But if you 
can pull all those in, as Mr. Carlson said, if you can pull all 
those pieces in what is a thankless process together, you can 
get some traction out of it.
    Thank you.
    Mr. Clay. Thank you. And let me thank the entire panel for 
your presence here today. You have certainly added something 
constructive to this discussion. I appreciate it very much.
    That concludes this hearing. Thank you all very much.
    [Whereupon, at 4:40 p.m., the subcommittees were 
adjourned.]